Tuesday 31 July 2007

Be ready to compete in the F-Secure Reverse Engineering Challenge (http://www.khallenge.com) this Friday. I expected the challenge to start on Thursday like last year, so now I have a scheduling conflict!

It looks like the challenge is organized like last year: go to the website and download the first challenge. Start the program, and provide the correct password (this is where reversing skills come in handy). You’ll be given an e-mail address in exchange for the correct password (a wrong password yields no e-mail address).

Send an e-mail to the address and you’ll get an URL in reply. Download the second challenge and repeat the process. And finally: download the third challenge and repeat the process.

Now honestly, I don’t expect Challenger to be of any help, except with a dictionary attack on the first challenge. Last year, the passwords for the second and third challenge were so long that brute-forcing was no option.

One year ago, to the day, I posted YACoSTO. I explained how I reversed a program that “protects” data. This is one of my favorite posts, but it hardly gets any hits. I encourage you to read it, because this time, I focus on reversing the protected data rather than the program itself. You might learn a couple of new and simple techniques.

The binary tools I used for the YACoSTO post can be found here, I published them afterwards.

Contrary to what some of you might think, this is not a “I’m on holiday” post😦 . We took a short cruise in June. My sister-in-law, a professional wedding film producer, shot this movie (YouTube) during our holiday, hires version here. Absolutely no malware, hacking, revering, … in the movie, just holidaying.

Tuesday 24 July 2007

This is an example of Really Simple Reversing of a piece of malware. It’s written in the AutoIt scripting language and compiled to an EXE.

It’s not intentional, I’m sure about this, but this AutoIt tool offers some interesting features for (inexperienced) malware authors. You can compile your script to a stand-alone executable that is automatically packed with UPX. And even after unpacking it, the strings are still obfuscated.

Decompiling the script is really easy, because the AutoIt authors include a decompilation utility with the AutoIt installation package (Exe2Aut). You can find a video of the decompilation here hosted on YouTube, and you can find a hires version (XviD) here. The icon of the bin.exe file you see in the video is the default AutoIt icon.

See how easy it becomes understanding what this malware does once you have the source code:

the URLs are defined in variables at the beginning

you can see from where the malware downloads updates and where they get installed

how it disables tools that can help you clean the infected machine, like Task Manager

that it tries to spread via IM applications

…

And did you notice the folder under F:\Documents and Settings at the beginning of the script? Oops!

When I submitted this malware to VirusTotal, only 4 AV engines detected it (July 18th 2007).

I played with the AutoIt compiler and decompiler and found some interesting things, I’ll probably blog about this later. Here is a hint: when you password-protect a compiled AutoIt script, you have to provide the password to decompile it, but not to execute it. Can you guess what this means?😉 Post your answer in the comment section!

Tuesday 17 July 2007

entries are highlighted in red when they match a user-specified search term (which can be a regular expression). This is my answer to the persons asking for a search feature. As I didn’t want to bother with a Find Next function, I decided to implement a highlight feature.

the Save command also supports HTML.

support for the IE7 UserAssist GUID key {0D6D4F41-2994-4BA0-8FEF-620E43CD2812}

registry hive files (usually called NTUSER.DAT files) can be loaded directly with the tool. The tool will load the DAT file temporarily in the registry, read the UserAssistkeys and unload the file. This feature is experimental, because I didn’t write the code yet for all the exceptions (invalid NTUSER.DAT file, no access rights to the file, no rights to load the file, failure to unload the file, …).

Other requests, like a command-line option, will be investigated.I’m also researching special values of the count property, for example when a program is removed from the start menu list.

The software is hosted on my site now, as Microsoft will phase-out the User Samples section of the gotDotNet site.

Thanks to Ovie and Bret of the CyberSpeak podcast for talking about my UserAssist tool on their show. The announced interview is recorded🙂

Tuesday 3 July 2007

The Firefox add-on BlockSite by Erik van Kempen allows you to maintain a blacklist of sites you want to block for surfing. I extended his add-on with a whitelist: in stead of specifying the sites you want to block, you can decide to specify the sites you want to allow, and all other sites will be blocked. Erik has integrated my code in his add-on:

Version 0.5 — December 30, 2006 — 34 KB

[+] Whitelist/Blacklist feature (by Didier Stevens): Choose if the list is a blacklist or a whitelist.
[~] Password protection still pending (unfortunately), most probably in next major release

Reverse engineering a Firefox add-on is really simple. The file format for add-ons, XPI, is in fact a ZIP file. After unzipping the XPI file, you’ll find a JAR file (again, this is also based on ZIP). Unzip the JAR file and then you can analyze the JavaScript and XUL files.

You can also load an unpacked Firefox add-on in Firefox to test and debug it, how is explained here.